Introduction


Lack of security and privacy are two very
common problems facing those involved with
computers today. Many people in the computer
business are simply not aware of or are
apathetic to ADP (automated data processing)
security and privacy matters.

Loss of security and privacy is, however, a
very real threat in today's highly automated
world. Without strict security and privacy
regulations, data could be lost, stolen, or
manipulated. Since much modern data are
beginning to be stored in ADP systems, misuse,
mismanagement, or just plain carelessness could
result in major problems for a great number of
people.

Some security can be built into ADP hardware
and software during the developmental phase,
but, at the present time, no system is
completely secure. It is the responsibility of
computer users/custodians to maintain a high
level of security and privacy for all computer
files.


Because of the obvious lack of awareness
concerning security and privacy, the following
questions need to be answered:

1. What do the terms "security" and
"privacy" mean when used in connection
with ADP hardware and software?

2. What happens when there is a lack of
security? of privacy?

3. What are some of the causes of this lack
of security and privacy?

4. Who has the ultimate responsibility for
maintaining security and determining
privacy requirements?

5. What are some of the possible solutions
for these problems?
Security—What Is It?


According to Webster, security is a state of
being or feeling secure; freedom from fear,
anxiety, danger, doubt, etc. It is also a state or
sense of safety or certainty.


How Does Security Relate to ADP Systems?


In order to have a secure ADP system, only
those with a need-to-know should have access
to data. Security also means that data in ADP
systems should be correct and their integrity
intact. In other words, security refers to the
protection of resources from damage and the
protection of data against accidental or
intentional disclosure or unauthorized
modification or destruction.


What Are ADP Systems?


Automated data processing systems are
primarily, but not solely, computers. An ADP
system is essentially made up of six elements:

1. Its physical environment,
2. People dealing with the system,
3. Communications,
4. Policies and procedures,
5. Hardware, and
6. Software.


Why Is Security Such a Problem?


Security in ADP systems is becoming a
problem in direct proportion to the increase in
the number of computer systems becoming
available. One major reason computers have
security problems is because they are located in
a hostile environment. Such vulnerability stems
from the following factors:

1. Complexity,
2. Speed of operation,
3. Vast amounts of data,
4. Inadequate audit trails,
5. Telecommunications,
6. Complicated operating systems, and
7. Lack of understanding about security
aspects.


The security aspects of ADP systems can be
defined as:

1. Large scale data bases containing sensitive
information,

2. Remote access considerations,

3. Constant growth in numbers of users, and

4. Increase in numbers of personnel with
technical knowledge required to access
computer systems.

Why Are Security Problems on the Rise?

In today's complex world, there is an
increased dependency upon computer systems
for critical and sensitive applications.

Dependency also stems from a lack of manual
back-up systems and inadequate contingency
planning.

Although there is an increased dependency
upon computers, there has been apathy or a
lack of awareness concerning security because
of work exigencies. There is also the matter of
limited resources that require careful
consideration of priorities.

In other words, because of the great demand
for fast, efficient computer services, security has
not been completely and competently
maintained.

Are There Any Other Security Problems?

In addition to the vulnerabilities produced as
a by-product of the computer industry growth,
there are certain very real threats to security
including:

1. Natural hazards

• Fire,

• Flood,

• Severe storm,

• Failure of electrical power (e.g., air
conditioning),

• Communications failure, and

• System failure.

2. Accidental errors, omissions, or failures

• User errors,

• Operator errors,

• Data preparation errors,

• Application program errors,

• Output errors,

• System errors,

• Communication errors, and

• Inadvertent release of sensitive
information.
What Can Be Done About Such Threats?


It would be difficult, if not impossible, to
prevent natural hazards. However, accidental
errors, omissions, or failures, and deliberate
computer abuses are problems that can be kept
to a minimum with proper maintenance and
surveillance. Although security should be built
into a system, no system can be really secure
unless the user makes it secure. To put this
another way, no matter how many security
features are used, a secure system is no better
than the person using it. Security must be a
personal matter with every computer operator
and user in order to have a significant impact.


Who Is Actually Responsible for Security?


It is the responsibility of the system designers
and manufacturers to build security into an ADP
system. Users have the responsibility to maintain
a careful watch on their security practices.
Management is also responsible since they
should set up security requirements and
regulations for their employees. In addition, the
vendors and users should work together to
determine who is responsible for what
computer security function.

It should be kept in mind, though, that when
a security system is being set up, requirements
and regulations should be easily understood and
workable. Too much restriction and too much
regulation are as bad as too little of either one.
What Roles Do Management and Users
Play in Security Problems?


In most cases, management plays a key role
in the problems associated with security. In
general, most managers are mission-oriented.
They are more concerned with the ultimate
product than with the production process.
Management has recently become more aware
of the critical problems associated with
computer security and they are taking strong
measures to resolve those problems.

Individual users also have problems with
security. There seems to be a lack of concern
with regard to system security. The user has a
tendency to view a computer as just another
inanimate object, and yet, this inanimate object
still presents a challenge to him. In most cases,
a user will not consider computer abuse (on a
small scale) a crime. Computer system users can
also be lax about reporting known security
violations because they don't realize that it can
jeopardize their own security.

There is also another problem regarding user
security. Many computer users feel that the
classification of data is the responsibility of
those involved with computer operation rather
than that of computer users. In fact,
classification rests in the hands of subject matter
specialists, not computer operations people.

Today's computer world is marked by rapid
growth and extension of applications, continued
growth in the numbers of systems (especially
mini- and micro-computers), and large increases
in the numbers of people involved in data
processing. In such an environment,
management's lack of involvement and users'
apathy serve only to compound the ADP
security problem.
Privacy—What Is It?

Webster defines privacy as "the quality or
condition of being private; withdrawal from
public view or company; seclusion; secrecy." It
can also be called private or personal affairs.

How Does Privacy Relate to ADP
Systems?

First of all, one must realize the amount of
sensitive personal data that is stored in today's
computers. A person's entire history is recorded
in bits and pieces of data, medical records, military
files, and so forth. An ADP system becomes a
storehouse of valuable but, in many cases, very
private information. Privacy then refers to the
rights of individuals and organizations to
determine for themselves when, how, and to
what extent information about them is to be
transmitted to others. Privacy is an issue that
goes far beyond computer centers and can be
thought of as a people problem since people,
not machines, affect it.


Who Could Gain from Use of Personal
Data?


A person who gained access to data files
without a need-to-know could cause many
problems, not only for the private citizen but for
others as well. He or she could, for example:

1. Manipulate data,

2. Modify/falsify data,

3. Acquire proprietary information and
programs,

4. Alter stored programs,

5. Change master files,

6. Access passwords/algorithms, or

7. Deny authorized access.

In other words, someone could deliberately
abuse computer files to affect many aspects of a
person's life such as his credit rating,
employment records, even his community
standing.


Has Anything Been Done to Prevent Such
Acts?


Congress passed the "Privacy Act of 1974"
which sets up certain guidelines regarding
privacy and data stored in computers and
manual files. In essence, Congress recognized
that a person does have a right to privacy,
including privacy with regard to personal files.
However, there are instances when such files
would be made available to authorized persons
upon request.

What Are the Custodian's Responsibilities
Concerning Privacy?

The custodian has a responsibility to
determine information necessary when a
request has been received for file information.
The accuracy standards should also be
determined, along with identification of
protection requirements, and the establishment
of the sensitivity of requested information.

The custodian should also determine how the
use of the information requested could
adversely affect the particular individual
involved. He can do this by considering the
following criteria:

1. What is adverse?

2. What data are vital?

3. What should be done if vital information
is in error?

4. What should be done if vital information
is disputed?

5. What should be done if vital information
is missing?

6. How much impact will an error correction
have on a system?

A determination should also be made as to
the "need-to-know."


Summary of ADP Security/Privacy
Problems


The typical problem areas with regard to
computer security are as follows:

1. Insufficient emphasis on computer
security (i.e., inadequate security
planning/contingency planning),

2. Lack of vulnerability/threat/risk
assessment,

3. Lack of management involvement in
computer security issues, and

4. Lack of protection against natural
disasters.

Computer privacy problems include:

1. Manipulation of data (modification or
falsification),

2. Acquisition of proprietary information
without a "need-to-know," and

3. Unauthorized acquisition of
passwords/algorithms.


What Can Be Done?


Security and privacy are two very important
facets that a society, which is fast becoming
automated, has to take into account. Although
many things contribute to a lack or loss of
security and privacy, the main ingredients in
any security or privacy problem are the people
involved with the systems. To most people,
"security" and "privacy" are nebulous terms, and
rather than learn all the rules and regulations
concerning them, they choose to be apathetic.
In order for society to have an effective and
efficient computerized network, not only the
systems themselves, but also all of the people
involved with them, must be "geared" toward
maintaining security and privacy. Security and
privacy measures cannot be looked upon as
unimportant or not pertinent, but must become
an integral part of the computer environment.